Introduction of FirewallD tool in CentOS Linux

FirewallD is a front-end controller for iptables that is used to implement persistent network traffic rules. It can be used both from the command line and through a graphical interface, and it is available in the repositories of most Linux distributions. Working with FirewallD differs from using iptables directly in two main ways.

  • FirewallD uses zones and services instead of chains and rules.
  • The rule set is managed dynamically: it can be updated without breaking existing sessions and connections.

Note: FirewallD is a wrapper around iptables that makes its rules easier to manage; it is not a replacement for iptables. You can still run iptables commands alongside FirewallD, but it is recommended that you only use firewall-cmd while FirewallD is running.

In this article we introduce the FirewallD tool, the concepts of zones and services, and some basic configuration. Stay with us.

Installing and managing the FirewallD tool

FirewallD is installed by default on CentOS 7, but it is disabled. It is controlled like any other systemd service.

To start the service and enable FirewallD at boot:

sudo systemctl start firewalld
sudo systemctl enable firewalld

The following commands stop and disable the service.

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Check the firewall state. The output shows whether the firewall is running.

sudo firewall-cmd --state

To view the status of the FirewallD service:

sudo systemctl status firewalld

Sample output:

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-08-08 15:11:24 IST; 23h ago
Docs: man:firewalld(1)
Main PID: 2577 (firewalld)
CGroup: /system.slice/firewalld.service
└─2577 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

To reload the FirewallD configuration:

sudo firewall-cmd --reload

FirewallD settings

FirewallD is configured with XML files. You do not need to edit them unless you require a very specific configuration; use firewall-cmd instead.

The configuration files live in two directories:

  • /usr/lib/firewalld holds the default configuration, such as the default zones and the common services. Do not edit these files; they are overwritten every time the firewalld package is updated.
  • /etc/firewalld holds the system configuration files. These files override the defaults.

Configuration sets

FirewallD uses two configuration sets: runtime and permanent. Runtime changes are not retained when FirewallD is restarted, and permanent changes are not applied to the running system until the configuration is reloaded.

By default, firewall-cmd commands apply to the runtime configuration. If you add the --permanent option, the change is made to the permanent configuration instead. To add and activate a permanent rule, use one of these two methods.

1) Add the rule to both the runtime and the permanent configuration:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=http

2) Add the rule to the permanent configuration and reload FirewallD:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload

Tip

The reload command drops all runtime settings and applies the permanent configuration. Because firewalld manages its rules dynamically, existing sessions and connections are not disrupted.

Firewall zones

Zones are predefined sets of rules for different trust levels, intended for specific locations or scenarios. When FirewallD is enabled for the first time, the default zone is public.

Zones can also be assigned to different network interfaces. For example, with separate interfaces for the internal network and the Internet, you can allow DHCP in the internal zone but only HTTP and SSH in the external zone. Any interface that is not explicitly assigned a zone is placed in the default zone.

To view the default zone:

sudo firewall-cmd --get-default-zone

To change the default zone:

sudo firewall-cmd --set-default-zone=internal

To see which zones are in use by the network interfaces:

sudo firewall-cmd --get-active-zones

Sample output:

public
interfaces: eth0

To list all settings of a particular zone:

sudo firewall-cmd --zone=public --list-all

Sample output:

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

To list the settings of all zones:

sudo firewall-cmd --list-all-zones

Sample output:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
...
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
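The zone listings above are the place to verify what the firewall is actually enforcing, and the two configuration sets described earlier mean the runtime view and the permanent view can quietly disagree. The following script is an added example, not part of the article or of firewalld itself: it parses the output format of firewall-cmd --list-all and --list-all-zones, reports fields where the runtime and permanent configuration of a zone differ (runtime-only entries disappear on reload; permanent-only entries are not enforced until then), and flags settings worth a second look. The sample outputs are constructed in the article's format; the function names are assumptions.

```python
"""Parse `firewall-cmd --list-all` / `--list-all-zones` output, compare a zone's
runtime and permanent configuration, and flag risky settings. Added example,
not from the article; the sample outputs are constructed in the article's format."""
import re
from typing import Dict, List

# Fields whose value is a whitespace-separated list; the rest are scalars.
LIST_FIELDS = {"interfaces", "sources", "services", "ports", "protocols",
               "forward-ports", "source-ports", "icmp-blocks", "rich rules"}
ZONE_HEADER = re.compile(r"^([A-Za-z0-9_-]+)(?:\s+\(([a-z, ]+)\))?$")
FIELD_LINE = re.compile(r"^([a-z][a-z0-9 -]*):(?:\s*(.*))?$")


def parse_zones(text: str) -> Dict[str, dict]:
    """Return {zone_name: {field: value}} for one zone or a whole zone listing."""
    zones: Dict[str, dict] = {}
    current, last_list = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":          # blank separators, elided zones
            continue
        fm = FIELD_LINE.match(line)
        if fm and current is not None:
            key, value = fm.group(1).strip(), (fm.group(2) or "").strip()
            current[key] = value.split() if key in LIST_FIELDS else value
            last_list = key if key in LIST_FIELDS else None
            continue
        hm = ZONE_HEADER.match(line)
        if hm:
            current = {"name": hm.group(1), "flag": hm.group(2)}
            zones[hm.group(1)] = current
            last_list = None
            continue
        if current is not None and last_list:  # indented entries (rich rules, forward-ports)
            current[last_list].append(line)
    return zones


def drift(runtime: dict, permanent: dict) -> Dict[str, dict]:
    """Fields on which the runtime and permanent views of a zone disagree."""
    report: Dict[str, dict] = {}
    for key in sorted((set(runtime) | set(permanent)) - {"name", "flag"}):
        r, p = runtime.get(key), permanent.get(key)
        if isinstance(r, list) or isinstance(p, list):
            rs, ps = set(r or []), set(p or [])
            if rs != ps:
                report[key] = {"runtime_only": sorted(rs - ps),
                               "permanent_only": sorted(ps - rs)}
        elif r != p:
            report[key] = {"runtime": r, "permanent": p}
    return report


def audit(zones: Dict[str, dict]) -> List[str]:
    """Settings a reviewer should question before trusting a zone."""
    findings = []
    for name, z in zones.items():
        bound = z.get("interfaces", []) + z.get("sources", [])
        if z.get("target") == "ACCEPT" and bound:
            findings.append(f"{name}: target ACCEPT (everything allowed) is bound to {' '.join(bound)}")
        if z.get("masquerade") == "yes":
            findings.append(f"{name}: masquerading (NAT) is enabled")
        for p in z.get("ports", []):
            findings.append(f"{name}: ad-hoc port {p} is open (prefer a named service)")
    return findings


# Constructed sample: `firewall-cmd --zone=public --list-all` (runtime view).
RUNTIME_PUBLIC = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
# Constructed sample: the same zone with --permanent; 12345/tcp was opened at
# runtime only, so it is exactly the kind of change that vanishes on --reload.
PERMANENT_PUBLIC = RUNTIME_PUBLIC.replace("public (active)", "public") \
                                 .replace("ports: 12345/tcp", "ports:")
# Constructed sample: an abbreviated `--list-all-zones` listing.
ALL_ZONES = """\
trusted
  target: ACCEPT
  interfaces: eth1
  services:
...
work
  target: default
  services: ssh dhcpv6-client
  rich rules:
\trule family="ipv4" source address="192.0.2.0" port port="22" protocol="tcp" reject
"""

if __name__ == "__main__":
    pub_rt = parse_zones(RUNTIME_PUBLIC)["public"]
    pub_pm = parse_zones(PERMANENT_PUBLIC)["public"]
    print("drift:", drift(pub_rt, pub_pm))
    print("findings:", audit({**parse_zones(RUNTIME_PUBLIC), **parse_zones(ALL_ZONES)}))
```

On a real host, feed the script the captured output of firewall-cmd --zone=ZONE --list-all and of the same command with --permanent; an empty drift report after a reload is the confirmation that what is running is also what will come back after a reboot.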

Working with services

FirewallD can allow incoming traffic based on predefined rules for specific network services. You can also create custom service definitions and apply them to any zone. The definitions of the default services are in /usr/lib/firewalld/services, and user-defined services go in /etc/firewalld/services.

To list the available services:

sudo firewall-cmd --get-services

Example: enabling and disabling the HTTP service

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
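The article says user-defined services live in /etc/firewalld/services but does not show what such a file looks like. The following is an added example, not code from the article or from firewalld: it generates a service definition in the XML format documented in firewalld.service(5) (a <service> root with <short>, <description> and one <port> element per port), validates the ports and protocols before writing, and reads the file back. The service name "myapp" and its ports are constructed for illustration. Once the file is in place, firewall-cmd --reload makes the service name usable with --add-service, which is preferable to opening ad-hoc ports.

```python
"""Generate, validate and read back a firewalld custom service definition.
Added example, not from the article; element names follow firewalld.service(5).
The 'myapp' service and its ports are constructed for illustration."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterable, List, Tuple

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def _check_port(port: str) -> str:
    """Accept a single port ('12345') or a range ('5000-5010') within 1..65535."""
    lo, _, hi = port.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        raise ValueError(f"non-numeric port: {port!r}")
    if not 1 <= int(lo) <= int(hi) <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    return port


def service_xml(short: str, description: str,
                ports: Iterable[Tuple[str, str]]) -> str:
    """Build the XML text of a service definition from (port, protocol) pairs."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto!r}")
        ET.SubElement(root, "port", protocol=proto, port=_check_port(str(port)))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def write_service(name: str, xml_text: str, services_dir: str) -> Path:
    """Write <name>.xml into services_dir (normally /etc/firewalld/services).
    firewalld loads it after `firewall-cmd --reload`; `--add-service=<name>` then works."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError(f"unsafe service name: {name!r}")
    path = Path(services_dir) / f"{name}.xml"
    path.write_text(xml_text, encoding="utf-8")
    return path


def read_service_ports(path) -> List[Tuple[str, str]]:
    """Parse a service file and return its (port, protocol) pairs."""
    root = ET.parse(path).getroot()
    if root.tag != "service":
        raise ValueError(f"{path}: not a firewalld service file")
    return [(p.get("port"), p.get("protocol")) for p in root.findall("port")]


def roundtrip_demo() -> List[Tuple[str, str]]:
    """Write the constructed 'myapp' service into a temporary directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        text = service_xml("myapp", "Constructed example service",
                           [("12345", "tcp"), ("5000-5010", "udp")])
        return read_service_ports(write_service("myapp", text, tmp))


if __name__ == "__main__":
    print(service_xml("myapp", "Constructed example service", [("12345", "tcp")]))
    print(roundtrip_demo())
```

The demo writes to a temporary directory so it runs anywhere; on a CentOS host you would pass /etc/firewalld/services as services_dir (which requires root) and then reload FirewallD.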

Allowing an arbitrary port or protocol

For example, to allow or deny TCP traffic to port 12345:

sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent

Port forwarding

The following example forwards port 80 traffic to port 12345 on the same server.

sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345

To forward the traffic of a port to a different server, proceed as follows.

1) Enable masquerading in the desired zone

sudo firewall-cmd --zone=public --add-masquerade

2) Add the forwarding rule. In this example, traffic on local port 80 is forwarded to port 8080 on a remote server at IP address 198.51.100.0.

sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=198.51.100.0

Replace --add with --remove to remove a rule. For example:

sudo firewall-cmd --zone=public --remove-masquerade

Creating a ruleset with FirewallD

As an example, here we use FirewallD to add basic rules to a server.

Assign the dmz zone as the default zone for eth0. The dmz zone is a good starting point for most servers, because it allows only SSH and ICMP in.

sudo firewall-cmd --set-default-zone=dmz
sudo firewall-cmd --zone=dmz --add-interface=eth0

Add the default service rules for HTTP and HTTPS to the dmz zone:

sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent

Now reload FirewallD for the changes to take effect.

sudo firewall-cmd --reload

If you run firewall-cmd --zone=dmz --list-all, you should see output like the following.

dmz (default)
interfaces: eth0
sources:
services: http https ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

This output tells us that the dmz zone is the default zone and applies to the eth0 interface, all network sources and all ports. Incoming HTTP (port 80), HTTPS (port 443) and SSH (port 22) traffic is allowed and, since no IP version is restricted, this applies to both IPv4 and IPv6. There is no port forwarding. No ICMP types are blocked, so ICMP traffic is allowed. All outgoing traffic is allowed.

Advanced settings

Services and ports are fine for a basic configuration, but they can be limiting in advanced scenarios. Rich rules and the direct interface let you add fully custom rules to any zone, for any port and protocol.

Rich Rules

The rich rule format is extensive and is fully documented in the firewalld.richlanguage manual page. Rich rules are managed with the --add-rich-rule, --list-rich-rules and --remove-rich-rule options of firewall-cmd.

Here are some of the most common examples.

Allow all IPv4 traffic from host 192.0.2.0:

sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.0.2.0 accept'

Block IPv4 TCP traffic from host 192.0.2.0 to port 22:

sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.0.2.0" port port=22 protocol=tcp reject'

Allow IPv4 TCP traffic from host 192.0.2.0 to port 80 and forward it to port 6532:

sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=192.0.2.0 forward-port port=80 protocol=tcp to-port=6532'

Forward all IPv4 traffic on port 80 to port 8080 on host 198.51.100.0 (masquerading must be enabled in the zone):

sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=198.51.100.0'

To view all rich rules in the public zone:

sudo firewall-cmd --zone=public --list-rich-rules
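Rich rules are free-form strings, and a typo (an IPv6 address under family="ipv4", a port above 65535, an accept combined with a forward) is only caught when firewall-cmd rejects it, or worse, not at all when a script swallows the error. The following is an added example, not code from the article or from firewalld: a small builder that assembles the same rule forms shown above (accept/reject/drop with an optional source and port, and forward-port with to-port/to-addr, which also covers the port-forwarding section), validates every value with the ipaddress module first, and produces the argv for firewall-cmd including the --permanent choice described earlier. It quotes every value, as firewall-cmd itself does when listing rules. The function names are assumptions.

```python
"""Build validated firewalld rich rules and the matching firewall-cmd argv.
Added example, not from the article; function names are assumptions."""
import ipaddress
from typing import List, Optional

ACTIONS = {"accept", "reject", "drop"}
FAMILIES = {"ipv4": 4, "ipv6": 6}
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def _port(value) -> str:
    """A single port or a 'lo-hi' range, each within 1..65535."""
    text = str(value)
    lo, _, hi = text.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()) or not 1 <= int(lo) <= int(hi) <= 65535:
        raise ValueError(f"bad port: {text!r}")
    return text


def rich_rule(family: str, source: Optional[str] = None, port=None,
              protocol: str = "tcp", action: Optional[str] = None,
              to_port=None, to_addr: Optional[str] = None) -> str:
    """Return a rich rule string; raises ValueError on any inconsistent input."""
    if family not in FAMILIES:
        raise ValueError(f"family must be ipv4 or ipv6, got {family!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    parts = [f'rule family="{family}"']
    if source is not None:
        # Accept a host or a CIDR block, but only of the rule's address family.
        if ipaddress.ip_network(source, strict=False).version != FAMILIES[family]:
            raise ValueError(f"source {source} is not {family}")
        parts.append(f'source address="{source}"')
    forwarding = to_port is not None or to_addr is not None
    if forwarding == (action is not None):
        raise ValueError("give exactly one of: an action, or to_port/to_addr")
    if forwarding:
        if port is None:
            raise ValueError("forward-port needs the port to forward")
        parts.append(f'forward-port port="{_port(port)}" protocol="{protocol}"')
        if to_port is not None:
            parts.append(f'to-port="{_port(to_port)}"')
        if to_addr is not None:
            if ipaddress.ip_address(to_addr).version != FAMILIES[family]:
                raise ValueError(f"to-addr {to_addr} is not {family}")
            parts.append(f'to-addr="{to_addr}"')
    else:
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        if port is not None:
            parts.append(f'port port="{_port(port)}" protocol="{protocol}"')
        parts.append(action)
    return " ".join(parts)


def safe_rich_rule(**kwargs) -> Optional[str]:
    """None instead of an exception, for quick validity checks."""
    try:
        return rich_rule(**kwargs)
    except ValueError:
        return None


def firewall_cmd_args(zone: str, rule: str, permanent: bool = False,
                      remove: bool = False) -> List[str]:
    """argv for subprocess.run(); pass it twice (with and without --permanent)
    to change both configuration sets, as the article describes."""
    args = ["firewall-cmd", f"--zone={zone}",
            "--remove-rich-rule" if remove else "--add-rich-rule", rule]
    if permanent:
        args.append("--permanent")
    return args


if __name__ == "__main__":
    rule = rich_rule("ipv4", source="192.0.2.0", port=22, action="reject")
    print(firewall_cmd_args("public", rule, permanent=True))
```

Because the rule is passed to subprocess as a single argv element, no shell quoting is involved; the quotes inside the string are part of the rich rule syntax itself.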

Direct iptables interface

For experienced iptables users, FirewallD provides a direct interface through which raw iptables commands can be passed. These rules are not permanent unless they are combined with the --permanent option.

Use the following commands to view all chains and rules added through the direct interface.

firewall-cmd --direct --get-all-chains
firewall-cmd --direct --get-all-rules

The details of iptables syntax are beyond the scope of this article; you may want to consult the following sources for more information.
